Microsoft's Outlook e-mail program and peer-to-peer software have been included for the first time in the Sans Institute's annual list of the 20 security vulnerabilities most exploited by attackers.

The Sans (System Administration, Networking and Security) Institute produced its fourth annual top 20 list with the US Department of Homeland Security and Canadian and British cybersecurity agencies.


The list is intended to be a guide for enterprises and government agencies needing a starting point for fixing their systems, said Alan Paller, director of research at the SANS Institute.

"You may decide you still do not want to fix [the vulnerabilities], but at least you've got control and understand the problem," Paller said. "If you decide to write reports instead of fixing the vulnerabilities, then you deserve the attacks you get."

Five of the top 10 Windows vulnerabilities were new to the list this year; the list focuses on the overall vulnerability of protocols, applications and tools. New items on the Windows top 10 were Outlook/Outlook Express, P-to-P file sharing and Simple Network Management Protocol.

Outlook has been used to send many viruses and worms, but the 40-plus security experts put it on the list for the first time this year, said Erik Kamerling, editor of the list.

Paller said Microsoft had responded to customer pressure to improve security in its software. "There has been a massive shift at Microsoft," he said. "It is nowhere near perfect ... but it's been a mind change."

P-to-P technology poses a number of issues for systems administrators, according to the Sans Institute. These include legal concerns if a company's computers are used to trade copyrighted files, technical concerns from remotely exploitable misconfigurations possible in P-to-P software, and the ease of distribution of malicious code masquerading as legitimate materials traded through P-to-P software.

Three new Unix/Linux vulnerabilities were included on the list this year: clear text services, misconfiguration of enterprise services and Open Secure Sockets Layer.

Remaining on the Linux/Unix list were Apache Web server, Bind (Berkeley Internet Name Domain) and Sendmail, among others.

Paller urged company and agency leaders to start with a small list of the most dangerous vulnerabilities their systems administrators could attack and allow the security team at least 90 days to make progress before requiring them to report results.

Asking systems administrators to test for thousands of vulnerabilities at one time is a recipe for failure, he added.

Top vulnerabilities to Windows systems

1 Internet Information Services (IIS)

2 Microsoft SQL Server (MSSQL)

3 Windows Authentication

4 Internet Explorer (IE)

5 Windows Remote Access Services

6 Microsoft Data Access Components (MDAC)

7 Windows Scripting Host (WSH)

8 Microsoft Outlook Express

9 Windows Peer to Peer File Sharing (P2P)

10 Simple Network Management Protocol (SNMP)

Top vulnerabilities to Unix systems

1 Bind Domain Name System

2 Remote Procedure Calls (RPC)

3 Apache Web Server

4 General Unix Authentication Accounts with No Passwords or Weak Passwords
